Scathing report reveals cascade of errors in Microsoft in Chinese cyber breach

A sequence of "avoidable errors" by the tech giant enabled a break into Microsoft systems that was ascribed to a Chinese hacker organization, according to a damning study published by the US Cyber Safety Review Board (CSRB).

The US Department of Homeland Security oversaw the seven-month probe, which examined the hack connected to the Chinese cyberespionage actor Storm-0558.

Several prominent US officials' personal and professional emails were exposed by the incident, which was first discovered by the US State Department in June 2023. These officials included US Ambassador to China Nicholas Burns and Commerce Secretary Gina Raimondo.

The fundamental activity of Microsoft is the supply of cloud computing services, including Office360 and Azure, which house sensitive data and power commercial and government activities in several economic sectors.

The CSRB found that Microsoft's corporate culture was "inconsistent with the company's pivotal role in the technology ecosystem and the level of trust customers place in the company." The report was revealed on Monday and attacked the corporation's corporate culture.

"Cloud computing stands as some of the most critical infrastructure we have, given its role in hosting sensitive data and powering operations across our economy," said Robert Silvers, Chair of the CSRB. "It is imperative that cloud service providers prioritize security and embed it by design."

The study found that Microsoft made a number of operational and strategic errors that helped to enable the hack. Among these errors was the 2021 corporate acquisition-related inability to identify a hacked laptop that belonged to a recently hired employee. The investigation also brought attention to Microsoft's noncompliance with security guidelines that other cloud service providers like Google, Amazon, and Oracle have in place.

"The Board concludes that this breach was avoidable and should have never occurred," according to the report, pointing out "the cascade of avoidable errors by Microsoft that enabled this intrusion to succeed."

The study also suggested that Microsoft create and make available to the public a strategy that specifies when it would begin to adopt extensive security changes to all of its products and procedures.

Storm-0558 and related threat actors are described as "persistent and pernicious threats" by CSRB Deputy Chair Dmitri Alperovitch. They have "the capability and intention to compromise identity systems to access sensitive data, including the emails of individuals of interest to the Chinese government."

The government thanked Microsoft for its complete cooperation with the evaluation process, despite the corporation not immediately responding to demands for comment.

Microsoft has revealed intentions to completely rewrite its software security in reaction to the hack and other such cybersecurity events in recent years.

The CSRB was formed by the White House to operate as an impartial inquiry body for significant cyber events that affect vital infrastructure within the United States.

Source: AFP